I have two questions about my form: how do I prevent the form from sending empty non-required fields (like if someone doesn't have a phone number), and how do I prevent the form from sending harmful characters to my server?
I did some research and I think the answer may be in ISEMPTY, but I don't know how to implement it.

strip_tags() is a function used to strip all the tags from the code. If you want to prevent people from submitting harmful tags/code you can implement it as follows.
<code>
<?php
$text = 'Hello';
// strip_tags() returns the text with any HTML/PHP tags removed; if the result
// is identical to the input, the input contained no tags.
if (strip_tags($text) == $text)
{
    echo 'safe';
}
else
{
    echo 'unsafe';
}
?>
</code>

06-12-2014, 01:52 AM

ArunNalla

Sorry for the reply above, I just accidentally posted it and can't find the delete button. However, to prevent any harmful data from being submitted to your database you can implement something like the code below. The strip_tags() function removes tags from the data.

Code:

if (strip_tags($_POST["name"]) == $_POST["name"] AND strip_tags($_POST["email"]) == $_POST["email"]) // and so on, check all fields you have similarly
{
    //Store data to database
}
else
{
    //Generate some error
}

What the above code does is check if strip_tags($var) == $var. If they are equal, the data is not harmful and can be stored in the database. If they are not equal, the user has submitted some harmful data and it will be rejected.

I don't think submitting empty data to the database would be a problem, because even if you do not submit data it would be empty; however, you can avoid submitting spaces by using the trim() command.

06-12-2014, 06:30 AM

whitt

So this form doesn't actually send to a database, it just uses mail to send an email.

So would

<CODE>
if (strip_tags($_POST["name"]) == $_POST["name"] AND strip_tags($_POST["email"]) == $_POST["email"]) // and so on, check all fields you have similarly
{
    //Store data to database
}
else
{
    die();
}
</CODE>

<CODE>
if (count($errors)) { // If there is missing data we say what is missing and terminate the script
    echo implode("\n", $errors); // this squishes the array data into a string separated by new lines
    exit; // you may want to do something else here, but this is just my quick answer
}

//$headers = "Contact form enquiry"; // This does nothing good, it's not used like that

$result = mail($to, $subject, $message, $headers); // we should check the result

if ($result) { // you may want to do something else here, but this is just my quick answer
    echo 'Mail added to send queue'; // this does not mean the email is or will be received, but it's the closest we can get at this point
} else {
    echo 'Error, mail not sent';
}
?>
</CODE>

Please note, I didn't test any of this code or think about it too much; it was a spur-of-the-moment quick thing. Those don't always work, but it's a start.

1) It's a REALLY bad idea to override a natural form's behavior with scripttardery; and if you DO, the form should still work with scripting off as a normal submit... so where's your actual form?

2) You should NEVER trust that your scripting will be what sends the form, so any 'validations' you do should ALSO be done server side...

3) Stop making PHP variables for no reason, they already exist inside $_POST, use them.

4) In JS, if you have multiple var declarations in a row, you only need to say var once, then comma-delimit the rest!

This all really reeks of putting JS on the page before you had it working without scripting FIRST... and as the unwritten rule of JS goes "If you can't make the page work without scripting FIRST, you likely have no business adding JavaScript to it!"

Scripting should enhance, not replace functionality -- which is why you really should have markup and server-side doing everything before you even THINK about throwing scripting at it, particularly for a form!

Could we see the actual form? Where is your PHP-side validation equivalent to your scripted one, since you should have done that before even playing around with client-side "validation" (which doesn't actually do a blasted thing in terms of security)?
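As an added, end-to-end example (not code from any of the posts above): a server-side handler that combines the trim() and strip_tags() checks from the second reply with the mail() result check from the untested snippet, and answers the original poster's first question by leaving blank optional fields out of the email entirely. It assumes a form with name, email, phone and message fields and placeholder recipient and From addresses. strip_tags() only detects tags, so the email address is additionally validated with filter_var(), and any value that goes into a mail header is rejected if it contains a carriage return or line feed, since those would let the sender append headers of their own.

```php
<?php
// Added example, not code posted in the thread. Server-side handling for a
// contact form that is delivered with mail(). The field names, the recipient
// and the From address are assumptions; change them to match your own form.
declare(strict_types=1);

// Form fields and their rules (assumed). 'single_line' marks values that may
// end up in a mail header or are never legitimately multi-line.
$fields = [
    'name'    => ['required' => true,  'single_line' => true,  'max' => 100],
    'email'   => ['required' => true,  'single_line' => true,  'max' => 254],
    'phone'   => ['required' => false, 'single_line' => true,  'max' => 40],
    'message' => ['required' => true,  'single_line' => false, 'max' => 5000],
];
$to     = 'you@example.com';       // assumed recipient
$from   = 'noreply@example.com';   // assumed address your own mail server may send as
$errors = [];
$clean  = [];

foreach ($fields as $field => $rules) {
    // A missing key and an empty string are treated alike; trim() makes a field
    // that contains only spaces count as empty too.
    $value = trim((string) ($_POST[$field] ?? ''));

    if ($value === '') {
        if ($rules['required']) {
            $errors[] = "The $field field is required.";
        }
        continue;   // optional field left blank: leave it out of the email entirely
    }
    if (strlen($value) > $rules['max']) {
        $errors[] = "The $field field is too long.";
        continue;
    }
    // The thread's check: if strip_tags() changes the value, it contained tags.
    if (strip_tags($value) !== $value) {
        $errors[] = "The $field field may not contain HTML tags.";
        continue;
    }
    // A CR or LF inside a value that is placed in a mail header would let the
    // sender append headers of their own, so single-line fields reject them.
    if ($rules['single_line'] && preg_match('/[\r\n]/', $value)) {
        $errors[] = "The $field field may not contain line breaks.";
        continue;
    }
    $clean[$field] = $value;
}

// strip_tags() says nothing about whether a value is a valid address;
// validate the email separately before using it in Reply-To.
if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'The email address is not valid.';
}

if ($errors) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    echo implode("\n", $errors);
    exit;
}

// Build the body only from the fields that were actually supplied.
$body = '';
foreach ($clean as $field => $value) {
    $body .= ucfirst($field) . ": $value\n";
}

// Only validated values go into headers. The visitor's address is used as
// Reply-To; From stays an address your own mail server is allowed to send.
$headers = "From: Website contact form <$from>\r\n"
         . "Reply-To: {$clean['email']}\r\n";

$result = mail($to, 'Contact form enquiry', $body, $headers);

if ($result) {
    // mail() returning true only means the local MTA accepted the message,
    // not that it was or will be delivered.
    echo 'Mail added to send queue';
} else {
    echo 'Error, mail not sent';
}
```

Because the loop skips blank optional fields before anything is added to $clean, an empty phone number never reaches the message body, and the strip_tags() comparison and line-break check run on the trimmed value rather than on the raw $_POST entry. The same validation must run regardless of any JavaScript on the form, which is the point of the last reply.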